Overview

overview

10

Static

static

1

323e851ce2...20.exe

windows7-x64

10

323e851ce2...20.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    98s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    22-03-2023 05:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    323e851ce262a9efbc96176a8720971df71e436470af0b08ff2bf755079aed20.exe

  • Size

    36KB

  • MD5

    06ec1ed9031b5f8c57dd5c1550d2c26e

  • SHA1

    ca0ff93b43e81348b25151e666e024b88f1c05ba

  • SHA256

    323e851ce262a9efbc96176a8720971df71e436470af0b08ff2bf755079aed20

  • SHA512

    b828a008ec92b1b423765368b7460b2ac3732b59058ecdbc8a48f88821bcc52279d9581c377be3231859f13f3ebc2a0aba14f7ee820d385e811d2e63ea293c01

  • SSDEEP

    192:tXU60V/WmoI+af4R9JNRcJLef3Rmtj0IRmtSgUoynaYgH9L1nnCQBRmlFQ93M3pc:tk60V/wI4PJhGYSGS10tdLVC+w7QSc

Score
10/10
gh0stratratupx

Malware Config

Signatures

  • Gh0st RAT payload 1 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    ratgh0strat
  • Blocklisted process makes network request 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • UPX packed file 7 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 36 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\323e851ce262a9efbc96176a8720971df71e436470af0b08ff2bf755079aed20.exe
    "C:\Users\Admin\AppData\Local\Temp\323e851ce262a9efbc96176a8720971df71e436470af0b08ff2bf755079aed20.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    PID:2044
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {7D1495C4-0B43-4660-BA80-48316717087A} S-1-5-21-1563773381-2037468142-1146002597-1000:YBHADZIG\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1364
    • C:\ProgramData\Thunder\LiveUpdate.exe
      C:\ProgramData\Thunder\LiveUpdate.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1824
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe"
        3⤵
        • Blocklisted process makes network request
        • Enumerates connected drives
        • Checks processor information in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1076

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\1.txt
    Filesize

    1.1MB

    MD5

    99cb9755677981518e59ba049e4b2e5a

    SHA1

    35a7899576f5bb2f0a99ea69e03acd4f9b63f831

    SHA256

    c6ae5b595850ec9d142f00843b63162fd4c5921038d0febe7b76a973f64493ba

    SHA512

    12ac1e3bd58ca92b6ab059c973607a93f22e21f098e0b6e20584dbf0a64085d1f278f6402144023b6c71b48bc2c8db2cf2f7052afc81b1570962ae81952b6b74

    Download Submit

  • C:\ProgramData\SqlVersion.dll
    Filesize

    911KB

    MD5

    8e92fc9c2dda5615002948562c612ef3

    SHA1

    bebacda192571508bb2010af7b9deafcf9948299

    SHA256

    a94cee609049fc7851f5a9c31a52d6bd9748ce3f4fd820689e9ff651dbf31ce8

    SHA512

    0e5a7b6a1fdf0f816161219e468fb981a75b8e8f415f1053cd7c64e9673b1a58b55c3b0e53e9b76edac7c40df01d404b5914ce775de1914a49c06c884dbf5b28

    Download Submit

  • C:\ProgramData\Thunder\LiveUpdate.dat
    Filesize

    29KB

    MD5

    0548ecfa93438e3126129b52c8aec910

    SHA1

    2bc74dc6ac92a8b92da0b90a92225304d1addd0b

    SHA256

    0951a0e07f3bf8fd0b2bc2bb84f2f9cb462b9e348eebc98e2b6de74c58eb13f8

    SHA512

    2fc3843c17ebfac7a420e7c75a68c6add88e53e137a9fdc3cc43dc0e1fb9dc5427890b7f1779853411e8c3d35fc6c0cfe29959220d11692ef69435905c229a56

    Download Submit

  • C:\ProgramData\Thunder\LiveUpdate.exe
    Filesize

    470KB

    MD5

    96e4b47a136910d6f588b40d872e7f9d

    SHA1

    0d2eae5df6a4bbf79ec8cd3505d00c4bdabf331e

    SHA256

    f788ed739241f79688653d27aeefd18c9d8142a31fe0b5342535e392c040dd9b

    SHA512

    6776e37c4ed134003cdfe1c75e6133e805ee5a8db002710a14735c829fe66d24c3754c5033da6d2fd3e84b85df672b2f4862279bc04915ebfb798334c7f61cb4

    Download Submit

  • C:\ProgramData\Thunder\LiveUpdate.exe
    Filesize

    470KB

    MD5

    96e4b47a136910d6f588b40d872e7f9d

    SHA1

    0d2eae5df6a4bbf79ec8cd3505d00c4bdabf331e

    SHA256

    f788ed739241f79688653d27aeefd18c9d8142a31fe0b5342535e392c040dd9b

    SHA512

    6776e37c4ed134003cdfe1c75e6133e805ee5a8db002710a14735c829fe66d24c3754c5033da6d2fd3e84b85df672b2f4862279bc04915ebfb798334c7f61cb4

    Download Submit

  • C:\ProgramData\setting.ini
    Filesize

    13B

    MD5

    51fcc726c0f8e4507e109bb1756e6f87

    SHA1

    7c2d5d03da604854b49f83e7665c92fda5864a12

    SHA256

    18d440fabffb47e3043a9ec3e0bb473ef937a93bf4d90ffa8814707675f3944a

    SHA512

    a968c65efd6632d90e5e81d538f86ea41fb81bc5a6bb0b40e51e21b25d604e9cc0596a5e1d0fd307b6038ee5dd27faa0fb1d0b17e3012f8c49a2df2dc27b1fa1

    Download Submit

  • \ProgramData\SqlVersion.dll
    Filesize

    911KB

    MD5

    8e92fc9c2dda5615002948562c612ef3

    SHA1

    bebacda192571508bb2010af7b9deafcf9948299

    SHA256

    a94cee609049fc7851f5a9c31a52d6bd9748ce3f4fd820689e9ff651dbf31ce8

    SHA512

    0e5a7b6a1fdf0f816161219e468fb981a75b8e8f415f1053cd7c64e9673b1a58b55c3b0e53e9b76edac7c40df01d404b5914ce775de1914a49c06c884dbf5b28

    Download Submit

  • memory/1076-90-0x0000000000400000-0x0000000000406000-memory.dmp

    Filesize

    24KB

    Download

  • memory/1076-99-0x0000000000400000-0x0000000000406000-memory.dmp

    Filesize

    24KB

    Download

  • memory/1076-100-0x0000000010000000-0x000000001017B000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/1076-88-0x0000000000400000-0x0000000000406000-memory.dmp

    Filesize

    24KB

    Download

  • memory/1076-89-0x0000000000400000-0x0000000000406000-memory.dmp

    Filesize

    24KB

    Download

  • memory/1076-97-0x0000000000400000-0x0000000000406000-memory.dmp

    Filesize

    24KB

    Download

  • memory/1076-91-0x0000000000400000-0x0000000000406000-memory.dmp

    Filesize

    24KB

    Download

  • memory/1076-93-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1076-92-0x0000000000400000-0x0000000000406000-memory.dmp

    Filesize

    24KB

    Download

  • memory/1076-94-0x0000000000400000-0x0000000000406000-memory.dmp

    Filesize

    24KB

    Download

  • memory/1824-95-0x0000000002840000-0x0000000002847000-memory.dmp

    Filesize

    28KB

    Download

  • memory/1824-85-0x0000000000400000-0x000000000053F000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/1824-80-0x0000000000400000-0x000000000053F000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/1824-86-0x0000000002840000-0x0000000002847000-memory.dmp

    Filesize

    28KB

    Download

  • memory/1824-87-0x0000000000400000-0x000000000053F000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/1824-79-0x0000000000400000-0x000000000053F000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/1824-126-0x0000000000400000-0x000000000053F000-memory.dmp

    Filesize

    1.2MB

    Download